Back to skill

Security audit

ZhenInsure 真机保险 | Insurance Broker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent insurance-chat proxy, but it handles sensitive insurance data and API keys with an under-disclosed configurable destination.

Install only if you trust ZhenInsure and understand that messages may include sensitive insurance, health, or financial details sent to its service and may incur charges. Before use, ensure ZHENINSURE_BASE_URL is unset or points only to a trusted ZhenInsure host, use a limited API key if possible, and avoid sending unnecessary personal or medical information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly demonstrates sending health-related personal data such as age, sex, and hypertension status to a remote insurance consultation API, but provides no privacy notice, consent guidance, data handling statement, or warning that sensitive personal/health information will leave the local environment. In an insurance context, this materially increases the risk of users disclosing regulated or highly sensitive information without understanding retention, sharing, or compliance implications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill is explicitly designed as a transparent proxy that forwards user-supplied bodies to a third-party backend using the operator's API key, but the documentation provides no privacy, consent, retention, or data-handling warning. Because this skill handles insurance consultation and handoff flows, users are likely to submit sensitive personal and health-related information, creating a real risk of unintended disclosure to an external service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The proxy sends both the Authorization bearer token and arbitrary request body content to a configurable base URL derived from context/env without validating that the host is trusted. If an attacker can influence ZHENINSURE_BASE_URL or skill configuration, they can redirect requests to an attacker-controlled server and exfiltrate API keys and sensitive chat or handoff data.

Vague Triggers

Low
Confidence
91% confidence
Finding
The package description says the skill is a 'Transparent API proxy' with 'Zero business logic wrapping' but does not state any trigger scope, caller restrictions, or invocation constraints. For an API-broker skill in insurance/fintech context, this ambiguity can lead to overbroad exposure or unintended invocation by agents/users who should not be able to access the proxy, increasing the chance of misuse or data-handling issues.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manifest explicitly states that user chat messages and human-advisor handoff requests are sent through a third-party API proxy, but it does not provide any clear privacy notice, data-sharing disclosure, retention statement, or warning about transmission of potentially sensitive insurance/health-related information. In an insurance context, users are likely to submit personal and medical details, so the lack of explicit disclosure increases the risk of uninformed consent and privacy harm.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
actions/proxy.js:13

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
test/test-all.js:215